Security is primarily concerned with the protection of assets from harm. Assets can be valuable physical objects such as computers or mobile communication devices, information such as bank details or medical records, and intangible properties such as reputation. However, despite their crucial role, known techniques still do not consider assets during the development and operation of secure software systems beyond the early stages of requirements engineering.
This may lead to solutions that only partially protect the assets of interest, with no ability to adapt when assets change unexpectedly or when the applied security configuration becomes ineffective due to changes in context, or inefficient because of high implementation costs. This issue is also ignored by risk analysis and management approaches. Existing risk assessment and mitigation techniques are typically static: they are not used at runtime to re-evaluate the risk or to identify a proper set of security controls when asset and/or contextual factors change.
The variability of assets and context, their respective values, and other security concerns are crucial in protecting assets in different scenarios. For example, considering a smart home domain, constituent assets such as appliances, physical belongings and the like may change, or be added or removed over time. If a new, valuable appliance is purchased and installed in the smart home, the potential for its compromise increases if an attacker could unlawfully gain access to the domain. It might therefore be necessary to apply stronger authorization and authentication mechanisms for access to the energy management system that controls all the appliances in the smart home. A prolonged absence of the smart home inhabitant may also increase the probability of unauthorized access by an intruder who might steal some or all of the assets. Accordingly, the smart home alarm system might need to be re-configured, for example to be remotely controlled.
Existing research mainly focuses on providing techniques for modeling the security concerns of a software system or for performing risk assessment and mitigation. The requirements engineering community has tried to represent security concerns (threats, vulnerabilities, security goals, requirements and controls) together with the other “conventional” requirements of the system, but has never conceived assets as a first-class entity to identify their impact on the criticality of security goals and on the identification of potential threats and attacks.
Van Lamsweerde, in “Elaborating security requirements by construction of intentional anti-models” (Proceedings of the International Conference on Software Engineering, 2004, pp. 148-157), augmented the known KAOS goal model with anti-goals (negations of security goals) to identify threats and attacks and to facilitate the elaboration of security requirements. L. Liu et al., in “Security and Privacy Requirements Analysis within a Social Setting” (Proceedings of the IEEE International Requirements Engineering Conference, 2003, pp. 151-161), use the i* goal model to represent security and privacy requirements. In particular, actors and their intent are used to identify potential attackers, while vulnerabilities come from organizational relationships among stakeholders. Similarly, Elahi et al., in “A vulnerability-centric requirements engineering architecture: analyzing security attacks, countermeasures, and requirements based on vulnerabilities” (Requirements Engineering, vol. 15, pp. 41-62, March 2010), enriched the i* goal model by adding vulnerabilities that can be introduced by system operations and domain assumptions. Some further risk assessment methods identify assets at the requirements elicitation stage. However, changes of security concerns, especially changes of assets and vulnerabilities, and their impact on security are still overlooked during software development and at runtime.
To develop a secure software system, risk assessment and mitigation, i.e. the identification of the most appropriate security controls, are fundamental activities. Sahinoglu, in “Security meter: A practical decision-tree model to quantify risk” (Security & Privacy, IEEE, vol. 3, no. 3, pp. 18-24, 2005), has built a decision-tree model by connecting vulnerabilities, threats and security controls together for risk quantification. Although this approach is promising, it suffers from the limitations inherent to a hierarchical tree structure, it still does not consider assets and their variability, and it provides no links to security goals.
Sommestad et al., in “Cyber security risks assessment with Bayesian defense graphs and architectural models” (Proceedings of the Hawaii International Conference on System Sciences, January 2009, pp. 1-10), have extended the influence diagram for modeling attack and defense graphs for off-line analysis. However, this approach still does not consider assets and their variability, and it assumes that conditional probabilities can be collected completely from the domain.
Further research efforts on risk-adaptive solutions, for instance by P. Cheng et al. in “Fuzzy multi-level security: An experiment on quantified risk-adaptive access control” (Proceedings of the IEEE Symposium on Security and Privacy, 2007, pp. 222-230) and by M. Covington et al. in “Securing context-aware applications using environment roles” (Proceedings of the ACM Symposium on Access Control Models and Technologies, 2001, pp. 10-20), have considered risk estimation and context variability, but still ignore the variability of assets and other security concerns as a source of risk change.
Further prior art documents relating to dynamic risk assessment and management, such as US 2008/0189788 A1 and U.S. Pat. No. 6,219,805, consider different OS, network and user risk factors. Still further prior art documents relating to adaptive security in information devices and portable information devices, such as EP 2207322 and EP 2207323, consider device location and network connections. U.S. Ser. No. 12/903,525 presents an adaptive security solution for estimating likelihood of attacks in computer networks. US 2012/0204267 A1 proposes an adaptive configuration management system, which is claimed to be adaptable for security purposes. However, none of these disclosures considers, nor implements, assets, their values and their variability over time as a prominent security risk-changing trigger.
Certain domain-specific prior art documents are known to relate to adaptive security. For instance, U.S. Pat. No. 7,676,470 addresses self-discovery in data-warehousing systems using adaptive and self-generating data security changes, U.S. Pat. No. 6,209,101 proposes a method to manage a dynamic set of servers for controlling access to resources, and U.S. Pat. No. 7,174,320 relates to adaptive digital content protection with an adjustable security level depending on the performance and devices of media players.
In the mobile security domain, a growing security domain, assets and their variability are significant in determining the appropriate security configuration. Mobile devices are equipped with a wide range of applications that are increasingly used to perform personal and business tasks. For example, typical assets in a mobile phone include the phone itself, one or more subscriber identification modules (SIM, which may include monetary phone credit), banking and/or credit card information (increasingly so with the ongoing acceptance and roll-out of contactless payment techniques), email information (addresses, passwords, sent/received messages), and contact lists. Users may accidentally grant inappropriate permissions to applications, or installed applications may not encrypt sensitive information during transmission or storage. These vulnerabilities can facilitate potential attacks. Furthermore, increasing the value of an asset (e.g. the SIM card credit value) may increase the risk of loss. Adding new assets (e.g. handling new information such as credit card details) may raise the threat level, by increasing the probability of breaking the confidentiality of credit card details. In this context, it is necessary to continuously adapt the mobile phone security configuration to protect the valuable assets in any situation.
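The following is an added illustration of the asset-driven re-evaluation argued for above, not the method of this disclosure or of any cited work: a constructed mobile-phone scenario in which risk is the asset value weighted by threat probability, and a greedy selection picks the controls with the best risk reduction per unit cost under a budget. The asset names, values, probabilities, controls and mitigation fractions are all assumed for illustration; the point is that topping up the SIM credit and storing card details changes which controls are selected.

```python
"""Asset-driven risk re-evaluation: a constructed illustration, not the patent's own method."""
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    value: float        # value of the asset to its owner (constructed relative units)
    threat_prob: float  # estimated probability of compromise with no controls in place

@dataclass
class Control:
    name: str
    cost: float
    mitigation: dict    # asset name -> fraction of the threat probability it removes

def expected_loss(assets, active):
    """Residual risk: sum of asset value x threat probability after the active controls."""
    total = 0.0
    for a in assets:
        p = a.threat_prob
        for c in active:
            p *= 1.0 - c.mitigation.get(a.name, 0.0)
        total += a.value * p
    return total

def select_controls(assets, controls, budget):
    """Greedy choice: add the affordable control with the best risk reduction per unit cost."""
    chosen, spent, remaining = [], 0.0, list(controls)
    while True:
        base = expected_loss(assets, chosen)
        best, best_ratio = None, 0.0
        for c in remaining:
            if spent + c.cost <= budget:
                ratio = (base - expected_loss(assets, chosen + [c])) / c.cost
                if ratio > best_ratio:
                    best, best_ratio = c, ratio
        if best is None:
            return sorted(c.name for c in chosen)
        chosen.append(best)
        spent += best.cost
        remaining.remove(best)

# Constructed mobile-phone scenario; values, probabilities and mitigations are illustrative, not measured.
CONTROLS = [
    Control("screen_lock", 1.0, {"phone": 0.5, "sim_credit": 0.5, "contacts": 0.5, "card_details": 0.5}),
    Control("disk_encryption", 3.0, {"contacts": 0.9, "card_details": 0.9}),
    Control("transaction_pin", 2.0, {"sim_credit": 0.8, "card_details": 0.8}),
]
ASSETS_BEFORE = [Asset("phone", 300, 0.05), Asset("sim_credit", 20, 0.1), Asset("contacts", 50, 0.1)]
# Trigger for re-evaluation: SIM credit topped up and card details now stored on the phone.
ASSETS_AFTER = ASSETS_BEFORE[:1] + [Asset("sim_credit", 200, 0.1), Asset("contacts", 50, 0.1),
                                    Asset("card_details", 2000, 0.1)]
BUDGET = 4.0
```

Running `select_controls(ASSETS_BEFORE, CONTROLS, BUDGET)` selects the screen lock plus disk encryption, while the same call on `ASSETS_AFTER` drops disk encryption for the transaction PIN, because the new and more valuable assets shift where the budget buys the most risk reduction.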
Many prior art documents relate to administering security settings in mobile devices and enforcing them. In U.S. Pat. No. 8,010,997, a device setting is changed to comply with necessary protection requirements for the requested data. But there is no further monitoring of the requested data after the change or any other contextual changes, for adjusting security settings. In U.S. Pat. No. 7,478,420, a server enforces security policies based on security features, such as connection type, and the installed anti-virus application type. These disclosures typically take into account contextual changes, including network and location, without considering the key role of assets and why they are required to be protected (i.e. security goals and requirements). A paper entitled “Attack Plan Recognition and Prediction Using Causal Networks” by Qin and Lee, Georgia Institute of Technology, 2005, discloses a technique for predicting potential security attacks based on observed attack activities. This technique involves the modeling of attack trees, which are then used to build a Bayesian Network. Probabilistic inference is then applied to the Bayesian Network to correlate isolated attack scenarios derived from low-level alert correlations and predict future attack scenarios. It will be appreciated therefore that this technique is purely reactive, in that it only predicts future attack plans in response to security attacks which have already occurred.
An improved method of configuring security controls and parameters in a data processing application, and a system embodying this method, are therefore required, which mitigate at least the above shortcomings of the prior art, preferably in real time as assets, their values and/or the security context change.